Introduction: Why Measuring Indirect Usage Is Critical
Indirect access โ when third-party systems or users use SAP without a direct login โ is a major compliance risk that often only comes to light during audits. You canโt manage what you donโt measure.
By then, the damage is done: organizations face surprise license fees for unlicensed use. Proactively monitoring SAP indirect access helps avoid those audit surprises and gives you data to choose the most cost-effective licensing approach.
SAP auditors are vigilant about indirect use. Even seemingly harmless integrations can lead to substantial fees if not properly licensed.
Rather than wait for an audit, companies should continuously monitor indirect access themselves โ catching any unlicensed usage before SAP does and fixing it.
In short, measuring indirect usage is essential to avoid compliance problems and ensure youโre only paying for what you need.
SAP USMM (User Measurement) โ Capabilities and Limitations
USMM is SAPโs built-in tool for measuring license usage in a single system. It tracks the number of users for each license type and tallies specific usage metrics for audits. USMM proposes a license type for each user based on their activity, which you can adjust before submitting results.
However, USMM cannot reliably detect indirect access. If a third-party application connects through one technical SAP login, USMM will just count that one user account โ it wonโt reveal that dozens of external users or devices are behind it. Indirect usage stays invisible in USMMโs report. You need other methods to uncover indirect use that USMM misses.
SAP LAW (License Administration Workbench)
SAP LAW consolidates USMM data from multiple systems into one combined report. Using transaction SLAW, you import each systemโs USMM results and LAW merges them, eliminating duplicates. For example, if one person has accounts in three systems, LAW counts them only once (using the highest license type among those accounts). This gives a unified view of your total SAP license consumption.
Like USMM, LAW doesnโt flag indirect usage. A technical interface account will appear in LAWโs output as just another user, with no indication that itโs tied to an external system. LAWโs job is to prevent double-counting of users across systems โ it wonโt tell you how those users are actually used. LAW is essential for audit compliance, but by itself, it wonโt reveal unlicensed indirect access.
SLAW2 and LMBI โ Enhanced License Analytics
SAP has improved its license management tools with SLAW2 and LMBI. SLAW2 (LAW 2.0) is a modernized license workbench that streamlines user consolidation and adds analytics (a friendlier interface, graphs, and reports to spot anomalies).
LMBI is a BI-driven tool for analyzing detailed usage metrics and running โwhat ifโ license simulations (e.g., changing license counts or types to see the effect).
These tools help you be proactive in managing licenses. While they donโt directly expose indirect use, they can highlight unusual patterns or growth that might signal an indirect access issue to investigate.
SAP Audit Scripts & Indirect-Use Diagnostics
SAPโs auditors often use specialized audit scripts to detect indirect access. These custom ABAP programs (available via SAP Notes) scan your system for signs of third-party usage that standard tools might miss. For example, a script can list all RFC or web service calls into SAP and show which user IDs are making them, or find documents created by background technical users instead of interactive users.
You can run similar checks yourself before an audit. If a technical user is unexpectedly creating thousands of records or making frequent external calls, thatโs a red flag. By using SAPโs diagnostic scripts (or custom queries), you can catch indirect usage issues in advance and address them. The bottom line: donโt rely solely on basic user counts โ dig into detailed usage data like an auditor would.
System Logs & Integration Activity Analysis
Your SAP systemโs logs are a goldmine for spotting third-party activity. STAD shows detailed logs of each transaction step and remote call. By filtering STAD for external call types (RFC, HTTP) or specific technical usernames, you can see exactly what an interface is doing. For example, you might discover that user โPORTAL_USERโ executed a create-order function hundreds of times in one day via RFC โ a clear sign of indirect usage.
ST03N aggregates usage statistics by user and task type. In ST03N, you might see an interface account ranking among the top users by transaction count or workload, even though no human logs in with that ID. That indicates a high volume of activity coming from an external integration.
By regularly checking STAD and ST03N, you can quickly identify which accounts correspond to external interfaces and how heavily theyโre used. This ensures no high-activity integration user flies under the radar.
Monitoring Digital Access (Document Licensing)
To measure indirect usage under SAPโs Digital Access model, use the Digital Access Evaluation Tool (DAET). This ABAP report counts how many business documents are created by external (non-SAP) inputs in your system.
Run the DAET for a given period (e.g., the past year) and it will output totals for each of the nine Digital Access document categories (such as sales orders, invoices, purchase orders, etc.). It may report that 10,000 sales order documents were created in SAP through external systems over the last 12 months.
This information is crucial if you license indirect use via documents, because it shows your actual consumption. We recommend running this evaluation regularly (say, quarterly) to track trends. If the numbers are growing, you can respond proactively โ purchase additional document licenses or investigate the cause โ before an official audit.
For more help, read SAP Indirect vs Digital Access: How to Choose the Right Licensing Model.
Third-Party License Management Tools
Third-party SAP license management tools can provide extra insight into indirect usage, especially in complex environments. They continuously monitor usage and offer alerts and dashboards. A SAM tool can flag if an interface suddenly spikes in activity, and it can simulate licensing scenarios such as comparing the cost of named-user vs. document licensing for an interface. These tools are helpful but optional โ they donโt replace SAPโs official measurements. You still need USMM/LAW/DAET for compliance, but a SAM tool can give you early warnings and deeper analysis of usage patterns.
6 Steps to Detect Indirect Usage Before an SAP Audit
Use this checklist to regularly find and control indirect access in your SAP environment:
- Inventory Interfaces: List all external systems interfacing with SAP.
- Map Users: Identify which SAP user account each interface uses.
- Verify License: Check that each account is assigned an appropriate license type.
- Analyze Logs: Review STAD and ST03N logs for high activity or unusual usage by those accounts.
- Compare Models: Determine whether covering this usage with named users or with Digital Access (documents) would be more cost-effective.
- Remediate & Report: Resolve any issues (assign or purchase licenses, adjust integrations) and inform your compliance team of the actions taken.
Perform these steps periodically (not just during audits) to catch indirect usage issues early and avoid surprises.
For more insights, see SAP Indirect Access Mitigation & Contract Clauses.
Interpreting Findings & Next Steps
Once youโve measured indirect usage, decide how to license it appropriately.
If a small, known group of users is accessing SAP indirectly, assigning them proper SAP named user licenses may be the simplest solution.
If large numbers of external users or automated processes are driving the usage, SAPโs Digital Access (document licensing) might make more sense. Use your data to weigh the cost of named users versus documents and choose the option that fits best.
Crucially, fix any compliance gaps immediately โ donโt wait for an audit. If you found unlicensed usage, work with SAP to obtain the necessary licenses or adjust your contract now, rather than later.
In the future, integrate indirect usage checks into your routine. Schedule regular internal audits of indirect use (for example, quarterly digital access counts and monthly log reviews) so you stay on top of changes.
And ensure any new SAP integration goes through a licensing review during planning. By making these practices a habit, youโll keep indirect usage under control and be well prepared for any future audits.
FAQ: Indirect Access Measurement
Q: Does USMM detect indirect access?
A: Not well. USMM focuses on direct SAP user accounts, so if external users access SAP through one technical login, USMM will treat it as just one user and show no sign of the indirect usage behind it.
Q: Can SAP LAW identify third-party interface users?
A: No. LAW simply merges user data across systems and doesnโt indicate which accounts are external. An interface account will appear like any other user in LAWโs report, so itโs on you to recognize and properly license those accounts.
Q: How are documents counted under SAPโs Digital Access model?
A: By running SAPโs Digital Access evaluation report. This tool scans your system and counts how many business documents (orders, invoices, etc.) were created via external systems or users (i.e. indirectly).
Q: Which SAP transactions help find indirect usage?
A: STAD and ST03N are the main ones. STAD logs each external call (RFC, API, etc.) with details on the user and action, while ST03N shows aggregate usage by user. Using these, you can spot heavy activity by technical interface accounts that indicate indirect access.
Q: Does using a middleware or gateway eliminate indirect access license risk?
A: No โ it helps manage it but doesnโt eliminate it. A middleware or gateway centralizes external connections to SAP, making monitoring and security easier. However, all the usage through it still needs to be licensed (via named user licenses for the end users or Digital Access licenses for the documents created). Middleware reduces complexity, but you must still account for the indirect use in your SAP licensing.
Read more about our SAP Digital Access Advisory Service.
